restrict user result set by the scoped group
parent
3b01d23af0
commit
db0cf70970
|
@ -13,11 +13,17 @@ module Gitlab
|
||||||
# 1: get all groups the current user has access to
|
# 1: get all groups the current user has access to
|
||||||
groups = GroupsFinder.new(current_user).execute.joins(:users)
|
groups = GroupsFinder.new(current_user).execute.joins(:users)
|
||||||
|
|
||||||
# 2: get all users the current user has access to (-> `SearchResults#users`)
|
# 2: Get the group's whole hierarchy
|
||||||
|
group_users = @group.direct_and_indirect_users
|
||||||
|
|
||||||
|
# 3: get all users the current user has access to (->
|
||||||
|
# `SearchResults#users`), which also applies the query.
|
||||||
users = super
|
users = super
|
||||||
|
|
||||||
# 3: filter for users that belong to the previously selected groups
|
# 4: filter for users that belong to the previously selected groups
|
||||||
users.where(id: groups.select('members.user_id'))
|
users
|
||||||
|
.where(id: group_users.select('id'))
|
||||||
|
.where(id: groups.select('members.user_id'))
|
||||||
end
|
end
|
||||||
# rubocop:enable CodeReuse/ActiveRecord
|
# rubocop:enable CodeReuse/ActiveRecord
|
||||||
end
|
end
|
||||||
|
|
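Review bot: The two `.where(id: ...)` filters at the end of `users` each match on user id alone, so nothing ties the accessible groups from step 1 to the scoped hierarchy from step 2. If `direct_and_indirect_users` (defined outside this hunk) includes members of subgroups the current user cannot see, a user who is in such a subgroup and also shares any unrelated accessible group with the searcher would presumably still be returned, which discloses membership of the scoped group. Consider narrowing `groups` to the scoped hierarchy before selecting member ids, for example `groups = groups.where(id: scoped_group_ids)`, where `scoped_group_ids` is a placeholder for the ids of `@group` and the related groups the search is meant to cover. The step 4 comment could then read `# 4: keep only users who are members of an accessible group inside the scoped hierarchy`. The `def users` line is outside the hunk.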
|
@ -55,5 +55,15 @@ describe Gitlab::GroupSearchResults do
|
||||||
|
|
||||||
expect(result).to eq []
|
expect(result).to eq []
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it 'does not return the user belonging to an unrelated group' do
|
||||||
|
user = create(:user, username: 'gob_bluth')
|
||||||
|
unrelated_group = create(:group)
|
||||||
|
create(:group_member, :developer, user: user, group: unrelated_group)
|
||||||
|
|
||||||
|
result = described_class.new(user, anything, group, 'gob').objects('users')
|
||||||
|
|
||||||
|
expect(result).to eq []
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
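Review bot: The added example covers only a user whose sole membership is in an unrelated group, and it uses that same user as the searcher, so it does not pin where the hierarchy boundary lies. Add cases that fix the intended scope, such as `it 'returns a user who is a member of a subgroup of the group'` and `it 'does not return a user whose only membership in the hierarchy is a subgroup the current user cannot access'`, each with a separate current user. `group` and the earlier examples are defined outside this hunk, so part of this may already be covered there.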